#!/bin/sh

# stress2 regression test: a syzkaller-generated UDP/IPv6 sendto() reproducer.
# On an affected kernel the run ends in the panic quoted below, raised by the
# mutex assertion in in6_pcblookup_local() while in_pcb_lport() picks a local
# port for a socket the program never bound. Original report:
# https://syzkaller.appspot.com/bug?id=062e9fde55f117bec30836a4ef1ef121f51faf23

# panic: mutex pcbinfohash not owned at 
# /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:717
# cpuid = 0
# time = 1573247472
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 
# 0xfffffe0022a56260
# vpanic() at vpanic+0x1c7/frame 0xfffffe0022a562d0
# panic() at panic+0x43/frame 0xfffffe0022a56330
# __mtx_assert() at __mtx_assert+0x18b/frame 0xfffffe0022a56370
# in6_pcblookup_local() at in6_pcblookup_local+0x53/frame 0xfffffe0022a563c0
# in_pcb_lport() at in_pcb_lport+0x3fd/frame 0xfffffe0022a56450
# in_pcbbind_setup() at in_pcbbind_setup+0x28b/frame 0xfffffe0022a564f0
# in_pcbconnect_setup() at in_pcbconnect_setup+0x4aa/frame 0xfffffe0022a565b0
# udp_send() at udp_send+0xee4/frame 0xfffffe0022a566c0
# udp6_send() at udp6_send+0x4e8/frame 0xfffffe0022a56870
# sosend_dgram() at sosend_dgram+0x54f/frame 0xfffffe0022a568e0
# sosend() at sosend+0xc6/frame 0xfffffe0022a56950
# kern_sendit() at kern_sendit+0x32d/frame 0xfffffe0022a56a00
# sendit() at sendit+0x226/frame 0xfffffe0022a56a60
# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0022a56ac0
# amd64_syscall() at amd64_syscall+0x473/frame 0xfffffe0022a56bf0
# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0022a56bf0
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x41c3aa, rsp =

# Shared stress2 settings; presumably this is where mycc (used further down)
# is defined.
. ../default.cfg
# Write the reproducer to a fixed path under /tmp (stress2 convention).
# The heredoc delimiter is unquoted, so the C text is subject to shell
# expansion; that is harmless here because it contains no '$' or backquotes.
cat > /tmp/syzkaller2.c <<EOF
// https://syzkaller.appspot.com/bug?id=062e9fde55f117bec30836a4ef1ef121f51faf23
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

// Descriptor slot filled in by main(). It starts as all-ones, i.e. -1 viewed
// as uint64_t, so an unset slot reads as an invalid descriptor when it is
// handed to the syscalls below.
uint64_t r[1] = {UINT64_MAX};

int main(void)
{
  // Fixed-address scratch mapping, as syzkaller reproducers always set up:
  // 16 MiB at 0x20000000, prot 3 (PROT_READ|PROT_WRITE), flags 0x1012
  // (presumably MAP_ANON|MAP_FIXED|MAP_PRIVATE on FreeBSD). The result is
  // deliberately unchecked; should the mapping fail, the raw stores below
  // fault instead of reaching the kernel path under test.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;
  // socket(28, 2, 0): presumably AF_INET6 / SOCK_DGRAM, i.e. a UDP6 socket,
  // which matches udp6_send() in the panic trace at the top of the script.
  // The descriptor is only recorded on success; on failure r[0] keeps its
  // all-ones initial value and the later calls fail on an invalid fd.
  res = syscall(SYS_socket, 0x1cul, 2ul, 0ul);
  if (res != -1)
    r[0] = res;
  // Option value 0, placed in the mapping so it can be passed by address.
  *(uint32_t*)0x200001c0 = 0;
  // setsockopt(fd, 41, 27, &0, 4): presumably IPPROTO_IPV6 / IPV6_V6ONLY
  // cleared, so the socket accepts the IPv4-mapped destination built next.
  syscall(SYS_setsockopt, r[0], 0x29ul, 0x1bul, 0x200001c0ul, 4ul);
  // Build a 28-byte (0x1c) BSD sockaddr_in6 at 0x20000100, byte by byte
  // (layout assumed: len, family, port, flowinfo, 16-byte addr, scope_id).
  *(uint8_t*)0x20000100 = 0x1c;  // sin6_len = 28
  *(uint8_t*)0x20000101 = 0x1c;  // sin6_family, presumably AF_INET6 (28)
  *(uint16_t*)0x20000102 = htobe16(0x4e21);  // sin6_port = 20001, network order
  *(uint32_t*)0x20000104 = 0;  // sin6_flowinfo
  *(uint8_t*)0x20000108 = 0;  // sin6_addr[0..9] = 0
  *(uint8_t*)0x20000109 = 0;
  *(uint8_t*)0x2000010a = 0;
  *(uint8_t*)0x2000010b = 0;
  *(uint8_t*)0x2000010c = 0;
  *(uint8_t*)0x2000010d = 0;
  *(uint8_t*)0x2000010e = 0;
  *(uint8_t*)0x2000010f = 0;
  *(uint8_t*)0x20000110 = 0;
  *(uint8_t*)0x20000111 = 0;
  *(uint8_t*)0x20000112 = -1;  // sin6_addr[10..11] = 0xff 0xff: the ::ffff:0:0/96
  *(uint8_t*)0x20000113 = -1;  // IPv4-mapped prefix (-1 converts to 0xff in uint8_t)
  *(uint8_t*)0x20000114 = 0xac;  // sin6_addr[12..15]: embedded IPv4 172.20.0.170
  *(uint8_t*)0x20000115 = 0x14;
  *(uint8_t*)0x20000116 = 0;
  *(uint8_t*)0x20000117 = 0xaa;
  *(uint32_t*)0x20000118 = 0;  // sin6_scope_id
  // sendto(fd, NULL, 0, 0, &sa, 28): a zero-length datagram to the address
  // above. The socket was never bound, so the kernel has to pick a local port
  // on the way out (in_pcbbind_setup -> in_pcb_lport in the trace), which is
  // where the quoted mutex assertion fires on an affected kernel.
  syscall(SYS_sendto, r[0], 0ul, 0ul, 0ul, 0x20000100ul, 0x1cul);
  return 0;
}
EOF
# Build the reproducer with the project's compiler wrapper; a build failure is
# a test error, not a reproduction, so bail out before running anything.
mycc -o /tmp/syzkaller2 -Wall -Wextra -O2 /tmp/syzkaller2.c ||
    exit 1
rm /tmp/syzkaller2.c

# Run from /tmp in a subshell so the cwd change does not leak and a core file,
# if one is produced, lands next to the binary. On an affected kernel this
# never returns because the machine panics.
(cd /tmp; ./syzkaller2)

# Remove the binary and any core file the run left behind. The fixed /tmp
# paths follow the stress2 convention; presumably the suite runs as root on a
# dedicated test box, which is what makes that acceptable.
rm -f /tmp/syzkaller2 /tmp/syzkaller2.core
exit 0